HP WebScan Feature Can Expose Scanned Documents

Security researchers at Zscaler say many organizations are leaving themselves open to corporate espionage via the WebScan feature included in HP's all-in-one printers.

Research from Zscaler has exposed how a feature in Hewlett-Packard's all-in-one
printers can be abused remotely to steal scanned documents.
The feature, WebScan, allows users to remotely scan a document and
have an image of the document sent from the scanner to their Web browser.

Unfortunately, Zscaler found that oftentimes this functionality is not
password-protected and is enabled by default. During the past two weeks, Zscaler
said Aug. 31, the company turned up a number of different documents on
third-party scanners-including a signed check and a voting document.

HP did not respond to a request for comment in time for publication.
However, Zscaler Vice President of Security Research Michael Sutton said through
scanners corporations are potentially left open to the risk of leaking
confidential data.
"With limited effort, within a few hours, we were able to find
dozens of exposed scanners simply using Google [and] Bing queries," Sutton
said. "Given the popularity of HP hardware and the fact that WebScan-like
functionality has been embedded in many HP servers for years, it's reasonable
to assume that the actual number [of HP scanners accessible over the Web] is
quite high."
Sutton said in a blog post Aug. 31, "What many enterprises don't
realize is that their scanners may by default allow anyone on the LAN
to remotely connect to the scanner and ... scan and retrieve"
any document left behind. In an internal threat, a "disgruntled
employee could simply write a script to regularly run the scanner in the hopes
of capturing an abandoned document," he said.
"From the perspective of an external threat, it isn't difficult to know
who owns the IP address or domain name that the scanner is hosted on,"
Sutton said. "In general, an attacker would know exactly where the
document was coming from. Enterprises can either password-protect the WebScan
functionality or disable the Web interface altogether so that the scanner is
not remotely accessible."
By default, the scanner has a Web interface enabled, he continued.
"Simply surfing to the IP address of [the] scanner will expose the Web
interface and the WebScan functionality," he said. "The blog [post]
includes a simple Perl script that can be used to scan the LAN
to see if any HP devices are running Web servers."
In the same post, Sutton noted, "HP kindly lets you know on the home page
if sensitive functionality is password-protected by displaying the Admin
Password status alongside other status information such as printer ink levels
... [Zscaler's research found] there was a greater likelihood that HP
Photosmart scanners were not locked down as opposed to Officejet
scanners." Sutton attributed the difference to Officejet scanners being
mostly "marketed to corporate users."
He advised, "While WebScan does provide a convenient means of obtaining
a digital copy of a scanned document, this same goal could certainly be
accomplished without exposing the scanner to anyone in the office. If enabled,
enterprises should ensure that the feature is password-protected so that it
cannot be accessed by unauthorized personnel."